I have run into it again. Another organization that thinks two user identifiers and passwords constitutes two-factor authentication and meets PCI DSS requirement 8.3. With all of the documentation available on the Internet, you would think this topic would be covered cold. However, there seems to still be confusion regarding what constitutes one-, two- and three-factor authentication, so I thought I would take this time to explain these concepts.
Let us talk about the definitions of the three factors of authentication.
- One-factor authentication – this is “something a user knows.” The most recognized type of one-factor authentication method is the password.
- Two-factor authentication – in addition to the first factor, the second factor is “something a user has.” Examples of something a user has are a fob that generates a pre-determined code, a signed digital certificate or even a biometric such as a fingerprint. The most recognized form of two-factor authentication is the ubiquitous RSA SecurID fob.
- Three-factor authentication – in addition to the previous two factors, the third factor is “something a user is.” Examples of a third factor are all biometrics, such as the user’s voice, hand configuration, a fingerprint, a retina scan or similar. The most recognized form of three-factor authentication is usually the retina scan.
The important thing to notice about the aforementioned definitions is that nowhere do they mention using two passwords or passphrases, two fingerprints or two retina scans. Such use of two of the same factor is considered multi-factor authentication and is not related to any of the aforementioned definitions. So those of you who are using two different user identifiers and passwords are not using two-factor authentication; you are using multi-factor authentication. The PCI DSS is very specific in requirement 8.3 and requires two-factor authentication or better. So multi-factor is not acceptable.
Another thing to mention is that security purists will argue that using a biometric for a second factor violates the rules of the third factor. However, other security practitioners say that something a user has or is can be either something like a token or a biometric. Their logic is that a user has a fingerprint or a retina, so it qualifies as either factor. The key is to only use a particular biometric once. So if you use a fingerprint for your second factor, you cannot use a fingerprint for the third factor.
Finally, while obvious, a lot of people miss this point. One-factor is less secure than two-factor, which is less secure than three-factor authentication. However, if users properly construct their passwords or passphrases and other logon restrictions are in place, one-factor authentication can be fairly effective against security breaches, possibly in the 90% range. Two-factor authentication typically raises the effectiveness to probably around 97 or 98%. And three-factor authentication likely takes things to a six sigma level of effectiveness. Note that even with three-factor authentication you only get to 99.9999% effectiveness. As I have repeatedly pointed out, security is not perfect.
A lot of people do not realize that they use two-factor authentication regularly. In order to use an ATM you need a card (something you have) and a four-digit personal identification number or PIN (something you know). Another example that is common these days is that, in order to enter secure facilities, an authorized user is required to use their HID access card and enter a PIN into a keypad before a door will open. Something to note is that the order in which the factors are used does not matter. In the case of the ATM and entry examples, you swipe your card (something you have) first and then enter your PIN (something you know).
Just because the second factor is something a user has does not mean that the user must know they have it. A prime example is the case of a digital certificate. A lot of organizations issue a digital certificate with their VPN software to provide two-factor authentication. Most users are unaware that they need a digital certificate to make the VPN work. The digital certificate is usually tied to the user or the computer and is installed as part of the installation of the VPN software. The only way a user ever becomes aware of the digital certificate is if it is ever corrupted or becomes outdated, resulting in an error when they try to connect to the VPN. (NOTE: In the Council’s Multi-Factor Authentication Information Supplement from 2017, the use of digital certificates as discussed here was disallowed for meeting PCI compliant two-factor authentication.)
Another important point is that in instances where all you use is your HID access card, you are using one-factor authentication. The definitions for the factors were established for ease of learning and memory. However, using any of the factors alone is one-factor authentication. Using each type of factor in conjunction with another results in two- and three-factor authentication. As such, you can use different combinations of all of the factors to decrease the likelihood of a compromise. For example, in a lot of spy movies, there is an ultra-secure room where, to gain entry, you need, for example, an ID card, a PIN, a retina scan and you need to say your passphrase. This is not an example of four-factor authentication; this is three-factor authentication with the use of two biometric factors (i.e., multi-factor).
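The counting rules in the preceding paragraphs (a factor counts once no matter how many credentials of that kind are presented, a given biometric may be used only once, and requirement 8.3 needs two-factor or better) can be written down as a small policy check. The code below is an added example, not from the original post; the credential names and sample flows (the ATM, the two-password login, the spy-movie room) are constructed for illustration, and the `classify` function and its data types are hypothetical names of mine. It counts distinct factors rather than assuming a fixed order, since the post says order does not matter, and it follows the post in treating a spoken passphrase as a voice biometric.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# The three factors as the post defines them.
KNOWS = "something the user knows"
HAS = "something the user has"
IS = "something the user is"

FACTOR_LABELS = {1: "one-factor", 2: "two-factor", 3: "three-factor"}


@dataclass(frozen=True)
class Credential:
    name: str                        # constructed label, e.g. "ATM card"
    factor: str                      # KNOWS, HAS or IS
    biometric: Optional[str] = None  # modality (fingerprint, retina, ...) if biometric


@dataclass(frozen=True)
class Verdict:
    factor_count: int           # number of distinct factors in use
    label: str                  # "one-factor", "two-factor" or "three-factor"
    repeated_credentials: int   # credentials that re-used an already-counted factor
    meets_pci_8_3: bool         # post's reading of requirement 8.3: two-factor or better


def classify(creds: Iterable[Credential]) -> Verdict:
    """Classify an authentication flow by the post's rules (hypothetical helper)."""
    creds = list(creds)
    if not creds:
        raise ValueError("at least one credential is required")
    for c in creds:
        if c.factor not in (KNOWS, HAS, IS):
            raise ValueError(f"unknown factor for {c.name!r}: {c.factor!r}")
    # A particular biometric may be used only once, whether it is counted as
    # 'something the user has' or 'something the user is'.
    modalities = [c.biometric for c in creds if c.biometric]
    duplicated = {m for m in modalities if modalities.count(m) > 1}
    if duplicated:
        raise ValueError(f"biometric used more than once: {sorted(duplicated)}")
    distinct = {c.factor for c in creds}
    n = len(distinct)
    # Extra credentials of an already-counted factor add no factor (the post's
    # "two passwords" case); they are reported but do not raise the count.
    return Verdict(n, FACTOR_LABELS[n], len(creds) - n, n >= 2)


# Constructed sample flows mirroring the examples in the post.
ATM: List[Credential] = [
    Credential("ATM card", HAS),
    Credential("4-digit PIN", KNOWS),
]
TWO_PASSWORDS: List[Credential] = [
    Credential("first user id + password", KNOWS),
    Credential("second user id + password", KNOWS),
]
SPY_ROOM: List[Credential] = [
    Credential("ID card", HAS),
    Credential("PIN", KNOWS),
    Credential("retina scan", IS, biometric="retina"),
    Credential("spoken passphrase", IS, biometric="voice"),
]
FINGERPRINT_TWICE: List[Credential] = [
    Credential("password", KNOWS),
    Credential("fingerprint used as token", HAS, biometric="fingerprint"),
    Credential("fingerprint scan", IS, biometric="fingerprint"),
]

if __name__ == "__main__":
    flows = [("ATM", ATM), ("two passwords", TWO_PASSWORDS),
             ("spy room", SPY_ROOM), ("fingerprint twice", FINGERPRINT_TWICE)]
    for title, flow in flows:
        try:
            v = classify(flow)
            print(f"{title}: {v.label}, {v.repeated_credentials} repeated credential(s), "
                  f"meets 8.3: {v.meets_pci_8_3}")
        except ValueError as err:
            print(f"{title}: rejected ({err})")
```

Running the script reports the ATM as two-factor, the two-password login as one-factor with one repeated credential (so it does not meet requirement 8.3), the spy-room sequence as three-factor with one repeated credential, and the flow that reuses a fingerprint as rejected.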
Finally, there is a risk in using biometric factors that most people do not like to talk about but is important to consider. People suffer accidents all of the time. Fingers get cut or even removed. Hands get broken or maimed. Eyes become damaged. People lose their voices. As a result, if you are looking to use biometrics for authentication, make sure you plan for such incidents.
Hopefully you now understand the various factors of authentication and understand how they are used.